Using Cloud Spanner in a Virtual Machine Instance

Your instance can access the Cloud Spanner API from Compute Engine by
using a service account to act on your behalf. The service account provides
application default credentials
for your applications so that you do not need to configure each
Compute Engine instance to use your personal user credentials.

Configure the service account on your instance with one of the following
options:

In the Identity and API access section, click Allow full access to all Cloud APIs.

Configure other instance settings as needed, then click Create.

Now that the service account on your Compute Engine instance has access
to the Cloud Spanner API, use a client library to read
and write data in your Cloud Spanner database. The instance uses the
credentials from the default service account to authenticate with the
Cloud Spanner API.

Configure an instance with a service account

To restrict instance access to specific APIs and roles, create a service
account with permission only to access your Cloud Spanner
databases. Then, apply the service account to your instance.

Select a service account that will act on your behalf to access
Cloud Spanner. Use one of the following options:

In the Identity and API access section, select the service account
from the list under Service account.

Configure other instance settings as needed, then click Create.

Now that the service account on your Compute Engine instance has access
to the Cloud Spanner API, use a client library to read
and write data in your Cloud Spanner database. The instance uses the
service account credentials to authenticate with the Cloud Spanner API.